Malicious PDF — malware analysis report

Static analysis result for SHA-256 71afae909af4bd9a…

Verdict: MALICIOUS
File type: PDF
Size: 28.3 KB
Created: 2020-10-27 10:31:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 594cfe0cbb7ae6b0d8d949d8d1041d96
SHA-1: f481282de006b8b699d6c52bf90fc74780dbaabb
SHA-256: 71afae909af4bd9a65b311a5950e9d190e3ff6804f2c8f6e03514d7e24005fdb
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple clickable links, and a critical heuristic fires on one of them: a link to known malicious redirector infrastructure. The document body, although heavily obfuscated, contains the same redirector URL that the heuristic flagged. The large number of external PDF links, mostly on a single host, points to a generated SEO link farm used to route users into a malicious delivery chain rather than to a genuine document; the wkhtmltopdf producer string is consistent with such a machine-generated HTML-to-PDF carrier. Detonation depends on the user clicking through the redirect chain, not on a PDF parser vulnerability, so the sample is low risk at rest and the indicators of value are the URLs and hosts below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/pify?keyword=the+fourth+missionary+talk
    • https://pumowurunumig.weebly.com/uploads/1/3/2/7/132740285/jupafudilorafaveg.pdf
    • https://fixasamajiwige.weebly.com/uploads/1/3/4/3/134318971/dalidamafifibun.pdf
    • https://pisanofinupu.weebly.com/uploads/1/3/1/4/131437881/8332929.pdf
    • https://gumomamomav.weebly.com/uploads/1/3/1/3/131398069/rapaf.pdf
    • https://kolerekum.weebly.com/uploads/1/3/4/3/134350376/1340558.pdf
    • https://gonerogad.weebly.com/uploads/1/3/1/4/131438616/venasufifiseka.pdf
    • https://uploads.strikinglycdn.com/files/6d2d00d2-7a49-4a76-b77d-a0f047c21b9b/vonox.pdf
    • https://uploads.strikinglycdn.com/files/916b8bf3-0da6-4fb4-a0d8-2b0d05c4a7a0/57635474617.pdf
    • https://uploads.strikinglycdn.com/files/b59e853c-b91f-4a87-9308-d31bc55b97cd/asvab_afqt_for_dummies.pdf
    • https://s3.amazonaws.com/vibuvomomuv/aligarh_movement_in_hindi.pdf
    • https://s3.amazonaws.com/fasanag/19677431774.pdf
    • https://s3.amazonaws.com/mejigavukolu/wonidarolobez.pdf
    • https://uploads.strikinglycdn.com/files/f037ff0f-7052-4018-87e0-b3807eb4138d/mebarufeloged.pdf
    • https://uploads.strikinglycdn.com/files/04c05612-99df-4486-8941-2596a6331559/nejawijumijidoxilokapik.pdf
    • https://uploads.strikinglycdn.com/files/ea67d394-559f-4312-bec4-d88e34ba1634/golaxova.pdf
    • https://uploads.strikinglycdn.com/files/3849b268-1141-4c4c-b174-5aab62bcb45c/17381689422.pdf
    • https://uploads.strikinglycdn.com/files/982e93c1-83c8-4a74-89af-cc6ff0ca799d/34799195551.pdf
    • https://s3.amazonaws.com/jipowumat/cdn_cloudflare_jspdf.pdf
    • https://s3.amazonaws.com/zuxadol/50065583008.pdf
    • https://s3.amazonaws.com/fasanag/vagelujufus.pdf
    • https://s3.amazonaws.com/mizeteb/assistant_hotel_manager_job_description.pdf
    • https://s3.amazonaws.com/tiluwisulepam/51058570102.pdf
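The two critical heuristics above (a clickable URI to a known redirector host, and a small PDF with many external PDF links clustered on one host) are straightforward to reproduce locally. The following Python script is an added example, not the scanner's own code: it constructs a sample PDF containing one /Link annotation per URL, pulls every /URI action target out of the uncompressed objects with a regular expression, and applies both rules. The redirector list (ttraff.link, the host flagged in this report), the size and link-count thresholds and the host-clustering ratio are assumptions chosen to approximate the report's wording, and the sample URLs are constructed rather than taken from the analysed file.

```python
"""Extract clickable URI link annotations from a PDF and apply the report's two
link-farm heuristics.  Added example; thresholds, redirector list and the sample
PDF are assumptions, not the scanner's implementation."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts treated as known malicious redirector infrastructure.  ttraff.link is the
# host flagged in this report; any other entry would be an assumption.
REDIRECTOR_HOSTS = {"ttraff.link"}

# Hypothetical thresholds approximating "small PDF" / "mass external PDF link farm".
SMALL_PDF_BYTES = 64 * 1024   # file size at or below which the farm rule applies
MIN_PDF_LINKS = 10            # minimum number of clickable external .pdf links
CLUSTER_RATIO = 0.5           # share of those links that must sit on one host

# /URI (literal string) inside an uncompressed action dictionary.  PDF literal
# strings may contain escaped parentheses, which the inner group allows for.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape(s: bytes) -> str:
    # Undo the PDF literal-string escapes that matter for URLs: \( \) and \\
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), s).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in uncompressed objects, in file order.
    Caveat: this raw-byte scan does not inflate FlateDecode or object streams."""
    return [_unescape(m) for m in _URI_RE.findall(pdf)]


def classify(pdf: bytes) -> dict:
    """Apply PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM to a PDF."""
    uris = extract_uris(pdf)
    hosts = [urlsplit(u).hostname or "" for u in uris]
    hits = {}
    redirectors = sorted({u for u, h in zip(uris, hosts) if h in REDIRECTOR_HOSTS})
    if redirectors:
        hits["PDF_MALICIOUS_REDIRECTOR_LINK"] = redirectors
    # Only links whose path ends in .pdf count towards the link-farm rule.
    pdf_links = [h for u, h in zip(uris, hosts) if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        host, n = Counter(pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= CLUSTER_RATIO:
            hits["PDF_SEO_LINK_FARM"] = {"pdf_links": len(pdf_links), "top_host": host, "on_top_host": n}
    return {"uris": uris, "hits": hits}


def build_link_pdf(urls: list[str]) -> bytes:
    """Construct a minimal one-page PDF whose only content is one Link annotation
    per URL (constructed sample input, not the analysed file)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        None,  # the page object, filled in once the annotation ids are known
    ]
    annot_ids = []
    for i, u in enumerate(urls):
        lit = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] /A << /S /URI /URI (%s) >> >>"
                    % (i * 12, i * 12 + 10, lit))
        annot_ids.append(len(objs))
    annots = b" ".join(b"%d 0 R" % i for i in annot_ids)
    objs[2] = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 400] /Annots [%s] >>" % annots
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed sample: the report's redirector URL plus a cluster of bucket-hosted
# PDF links on one host and a single unrelated PDF link.
SAMPLE_URLS = (["https://ttraff.link/pify?keyword=the+fourth+missionary+talk"]
               + [f"https://s3.amazonaws.com/bucket{i}/doc{i}.pdf" for i in range(12)]
               + ["https://example.org/report.pdf"])

if __name__ == "__main__":
    verdict = classify(build_link_pdf(SAMPLE_URLS))
    print(f"{len(verdict['uris'])} URIs extracted")
    for name, detail in verdict["hits"].items():
        print(f"  {name}: {detail}")
```

To run it against a real sample, call `classify(open(path, "rb").read())`. Because the extractor only regex-scans raw bytes, a carrier that stores its annotations in FlateDecode object streams will yield nothing until the streams are inflated first (pdf-parser, peepdf or pypdf can do that); the heuristics themselves are unchanged once the /URI targets are recovered.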